Goose Tool is a new free tool that can help network defenders identify potential malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments. It was developed by CISA and is available on their website. The Unidentified Goose tool, which was developed with the help of Sandia National Laboratories, provides network defenders with unique data collection and authentication techniques that can be used when investigating and analyzing their Microsoft cloud services.
According to CloudVulnDB, an open project that tracks vulnerabilities affecting major cloud providers, there is a long history of serious security flaws affecting Redmond’s flagship Azure, and defenders have long complained about the Lack of information about possible infections.
The Untitled Goose tool is a powerful and adaptable incident investigation and response tool. When network defenders interrogate and analyze Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments, the tool provides them with new authentication and data collection methods to use in the process. These methods can be used to detect potentially malicious activity. Goose, which was created by CISA in collaboration with Sandia National Laboratories, can be downloaded for free from the CISA GitHub repository.
Network defenders are encouraged to use the Untitled Goose tool to perform the following tasks:
• Export and review AAD login and audit logs; M365 Unified Audit Trail (UAL); Azure activity logs; Microsoft Defender Alerts for IoT (Internet of Things); and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
• Conduct research on AAD, M365, and Azure configurations, as well as query and export related data.
When attempting to probe a large M365 tenant using UAL, network defenders may discover that manually collecting all events at once is not a practical option. Untitled Goose Tool implements creative data collection strategies by using unique mechanisms. The following are some of the capabilities network defenders have when using this tool:
• Extract cloud artifacts from Microsoft’s AAD, Azure and M365 environments without further analysis.
• Use the goose herding method to set time limits in the UAL.
• Use Goosey Hok to extract data while staying within allotted time limits.
• Query and collect data using comparable time limit capabilities for MDE data.
User’s Azure, Azure AD, and M365 environments can be used with the Untitled Goose tool.
Python version 3.7, 3.8, or 3.9 is required to run the Untitled Goose Tool. CISA suggests using this technology within a virtual environment.
The government organization said that cloud network administrators can use the tool to extract cloud artifacts from Microsoft’s AAD, Azure and M365 systems without further analysis.
Cyber security enthusiast. Information security specialist, currently working as a risk infrastructure specialist and researcher.
Experience in risk and control processes, security audit support, COB (business continuity) design and support, work group management and information security standards.
Send news tips to [email protected] or www.instagram.com/iicsorg/.
You can also find us on Telegram www.t.me/noticiasciberseguridad